I can't see how this differs from normal XSS; the server returning
unsanitized user input. Surely we don't need to classify each kind of XSS?
In PHP, I use a function to write a PHP string into JS space safely; this
works in this situation as well.
So, how does your "discovery" affect my code at all? It isn't like I
sanitize output into, say, an onload event but not an onmouseover event,
no?

> Hello Jeff!
>
> As I said in my previous letter, Happy New Year. And thanks for your attention
> to my article.
>
> > Do you consider yourself as an oz XSS ninja ?
>
> Not XSS ninja. They can't compare to me ;-).
>
> I just seriously do my work when I'm researching any class of vulnerability
> (both stated and unstated in WASC TC v.1/v.2). This concerns XSS as well as
> other classes of vulnerabilities.
>
> > Did your C.V. end in the OWASP trash bin ?
>
> No.
>
> > And how the fuck did you come up with a nickname like that ?
>
> I see you became too interested in my person and have too much free time.
>
> It's a long story (from December 1998 when I created my pseudonym). No need
> to speak about it in a security mailing list.
>
> > Let us know, we truly give a shit about your life, and xss.
>
> As I see, you very much like to write unserious letters. So, Jeff, take into
> account that I have already added your email to my blacklist. So for you
> there is no need to worry about writing me any letters.
>
> If you don't want to read my posts to the mailing list you can do one of the
> following: 1) Do not read my posts. 2) Add my email to your filters to not
> receive them. 3) Unsubscribe from the Full-Disclosure mailing list.
>
> And my recommendation for you: use your time more wisely.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
> From: Jeff Williams
> To: MustLive
> Cc: full-disclosure@lists.grok.org.uk
> Sent: Monday, January 04, 2010 5:29 AM
> Subject: Re: [Full-disclosure] MouseOverJacking attacks
>
> Thanks for your wishes MustDie;
>
> Do you consider yourself as an oz XSS ninja ?
>
> Did your C.V. end in the OWASP trash bin ?
>
> And how the fuck did you come up with a nickname like that ?
>
> Let us know, we truly give a shit about your life, and xss.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
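The PHP approach the first message alludes to, one encoder for writing a string into JavaScript space, as an added example that is not the poster's code. The function names js_string, script_block and onmouseover_attr and the sample input are assumptions; the example also covers the inline event-handler case, where the browser HTML-decodes the attribute before parsing it as JavaScript, which is why that context needs one more encoding layer.

```php
<?php
// Added example: one JS-string encoder reused for a <script> block and for
// an onmouseover attribute. Function names and sample input are constructed.

// Encode an arbitrary PHP string as a JavaScript string literal. The JSON_HEX_*
// flags turn < > & ' " into \uXXXX escapes, so the output contains nothing
// that can close a <script> element or an HTML attribute. Invalid UTF-8
// raises JsonException instead of silently producing false.
function js_string(string $value): string {
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

// Context 1: a <script> block. js_string() alone is sufficient here.
function script_block(string $value): string {
    return '<script>var name = ' . js_string($value) . ';</script>';
}

// Context 2: an inline event handler such as onmouseover. The attribute value
// is HTML-decoded first and only then handed to the JS parser, so the JS
// literal must additionally be HTML-attribute encoded (both quote styles).
function onmouseover_attr(string $value): string {
    $js   = 'show(' . js_string($value) . ')';
    $attr = htmlspecialchars($js, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span onmouseover="' . $attr . '">hover</span>';
}

// Constructed sample input containing every character class that matters:
// tag delimiters, both quote kinds and an ampersand.
$input = '</script><b title="x">\'&';
echo script_block($input), "\n";
echo onmouseover_attr($input), "\n";
```

Both outputs keep the user data inside a single JS string literal; in the attribute case the backslash-u escapes survive HTML decoding unchanged, so the same js_string() result is valid in either context.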